STATE OF CYBER SECURITY: RECRUITMENT INDUSTRY

APSCo x Atlas Cloud Ltd

Updated July 2023

Originally published in 2022, Atlas Cloud’s recruitment industry cyber audit has returned for its second year.

/ THIS RESEARCH

Sample: Recruitment agencies from APSCo UK memberships
Published: Recruiter magazine
Sample Size: 584
Conducted: May '22 & July '23


Are you an APSCo member?
Your agency was included in this research. You're entitled to review your individual report.
Your report is automated but we will be confirming your employment with the relevant organisation.

🔑 STOLEN PASSWORDS

Did you know? Stolen and/or weak passwords account for 81% of hacking-related breaches*.

/ agencies WITH stolen passwords

Employee usernames and passwords are classed as breached when they are circulating on lists on the Dark Web. Criminals can use them to gain access to corporate IT systems.

/ VOLUME OF BREACHED PASSWORDS PER agency

The more passwords available, the greater the likelihood of criminal success.

expert insight

Pete Watson - CEO, Atlas Cloud


“We’re all bound by the GDPR, which the UK adopted post-Brexit, to protect personal data. Directors often delegate cyber risks yet are the ones answering the ICO if anything ever happens – we need to break this dichotomy.

“Since our study last year, we’ve had a real-world reminder of what happens when candidate information unlawfully gets into the wrong hands. Costs spiral the moment you inform affected candidates, as you’re duly bound to do. From direct costs like candidate compensation claims to indirect costs like clients, candidates – eventually – consultants preferring to work with agencies without tainted reputations.”

🎣 phishing protection [new for '23]

/ agencies at risk from phishing

2 in 3 agencies didn’t have phishing protection; the remainder may have, but we couldn’t validate that.

expert insight

“On the face of it, you think your own employees are smart enough to detect spoofing and therefore write off the need for specialised protection. But you’re devaluing the power of social engineering.

“Sure, catch-all attempts will be ignored by your employees but criminals are far more sophisticated these days, especially when they can earn so much. They’ll typically look to find out key information in advance from other employees, like who the company banks with and what days it makes pay runs. Then use this information in the phishing attempt.

“So, when you get an email request from the CEO containing information only known internally, you tend not to question it. It costs thousands.”

Pete Watson - CEO, Atlas Cloud


💻 DOMAIN VULNERABILITIES

/ agencies with DMARC applied

DMARC adoption has jumped up from less than 1 in 4 agencies last year! It stops criminals from hijacking your domain.

/ DOMAIN VULNERABILITIES BY SEVERITY

Domains are used in corporate web and email addresses; vulnerabilities can creep in through the way they are configured. Issues have decreased significantly since last year!

expert insight

Pete Watson - CEO, Atlas Cloud


“It’s great to see our research from last year may have been making an impact.

“Directors looking to take a more hands-on approach should start with a simple third-party cyber audit or consider running the agency through the Government-backed Cyber Essentials scheme.”

🌐 WEBSERVER VULNERABILITIES

/ agencies with webserver vulnerabilities

Webservers govern websites and often process/store candidate CVs, containing valuable personal information.

expert insight

“These are often simple fixes, like keeping your website’s content management system up-to-date.”

“Given the ease of solution, it’s a risk no agency leader should accept.”

Pete Watson - CEO, Atlas Cloud


BACKED BY THE TRADE

VIEWS FROM APSCO CEO, ANN SWAIN

“I’m delighted to see our groundbreaking industry research return for a second year running.

“We’re already seeing positive steps by the industry de-risking, but it doesn’t take a cyber expert to realise that more can and should be done.”


/ When was the last time you reviewed cyber insights?

4 in 5

…of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority.

39%

…of UK businesses have identified a cyber-attack within the last 12 months.

Official UK Gov. statistics from the NCSC

APSCO MEMBERS ENTITLED TO REVIEW THEIR CYBER REPORTS

As UK-based APSCo members are included in the study, relevant representatives are entitled to review the results relevant to their organisation for a limited time.

Reports are automated but, due to the nature of the content, we will be validating that requesting individuals are representatives of the organisation they’re wishing to review. 

FREQUENTLY ASKED QUESTIONS

All of the information we have surfaced is publicly available. It’s typically the data criminals will first review before deciding whether to form an attack, so it is a key first line of defence to get in order.

This is an automated cyber audit that has been compiled by Atlas Cloud to help the recruitment industry learn more about risk.

You are free to use this information however you wish – hopefully, it will inform your Risk Register and help you make more informed decisions about whether your cyber risks need to be addressed.

No matter what solutions you have in place, cyber risks build up over time. The Data Protection Act (2018) states agencies must take reasonable steps to protect any personal data, ensuring security “against unlawful or unauthorised access”.

If your risks are exploited and candidate information is accessed without authorisation, you face an investigation from the Information Commissioner’s Office (ICO). They can fine up to £8.7 million or 2% of turnover, whichever is greater.

Our latest case study summarises the known events from a breach at Acorn Recruitment.

In it, candidate data was stolen and the agency had to deal with compensation claims. We also found law firms offering ‘no win, no fee’ services for the specific event.


The simple answer is this: If you have an IT solution in place, it doesn’t necessarily mean you have your cyber security risks taken care of.

When you buy or implement an IT solution, it should obviously be secure. However, as time passes, security risks creep in that need to be periodically assessed and considered.


© Atlas Cloud Limited 2023, registered number: 07297347

3rd Floor, Maybrook House, 27 Grainger Street, Newcastle upon Tyne, NE1 5JE
